CVE-2021-47952 (CVSS 9.8) — python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. A

A critical vulnerability has been published in the Python library jsonpickle, version 2.0.0, identified as CVE-2021-47952 with a CVSS score of 9.8. This flaw allows remote attackers to execute arbitrary Python commands by deserializing malicious JSON payloads that contain py/repr objects. The vulnerability was formally documented by the National Vulnerability Database on May 16, 2026, and poses a severe risk to any system using this library for deserialization.

Any organization that uses Python applications or services relying on jsonpickle 2.0.0 is affected, particularly those in financial services, healthcare, critical infrastructure, and technology sectors where data serialization is common. The risk is highest in environments that process untrusted JSON input, such as APIs, data pipelines, or configuration management systems. Compliance teams should treat this as a high-priority security incident due to the potential for full system compromise.

Compliance teams should immediately verify whether jsonpickle 2.0.0 is in use across their software inventory and prioritize patching to version 2.1.0 or later. If immediate patching is not possible, implement input validation to block py/repr objects and consider deploying runtime application self-protection controls. Additionally, update your vulnerability management register and ensure this CVE is included in your next regulatory reporting cycle, as applicable under frameworks like NIS2, DORA, or GDPR breach notification requirements.